๐จ CVE-2025-52982
An Improper Resource Shutdown or Release vulnerability in the SIP ALG of Juniper Networks Junos OS on MX Series with MS-MPC allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).
When an MX Series device with an MS-MPC is configured with two or more service sets which are both processing SIP calls, a specific sequence of call events will lead to a crash and restart of the MS-MPC.
This issue affects Junos OS:
* all versions before 21.2R3-S9,
* 21.4 versions from 21.4R1,
* 22.2 versions before 22.2R3-S6,
* 22.4 versions before 22.4R3-S6.
As the MS-MPC is EoL after Junos OS 22.4, later versions are not affected.
This issue does not affect MX-SPC3 or SRX Series devices.
๐@cveNotify
An Improper Resource Shutdown or Release vulnerability in the SIP ALG of Juniper Networks Junos OS on MX Series with MS-MPC allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).
When an MX Series device with an MS-MPC is configured with two or more service sets which are both processing SIP calls, a specific sequence of call events will lead to a crash and restart of the MS-MPC.
This issue affects Junos OS:
* all versions before 21.2R3-S9,
* 21.4 versions from 21.4R1,
* 22.2 versions before 22.2R3-S6,
* 22.4 versions before 22.4R3-S6.
As the MS-MPC is EoL after Junos OS 22.4, later versions are not affected.
This issue does not affect MX-SPC3 or SRX Series devices.
๐@cveNotify
๐จ CVE-2025-52983
A UI Discrepancy for Security Feature
vulnerability in the UI of Juniper Networks Junos OS on VM Host systems allows a network-based, unauthenticated attacker to access the device.
On VM Host Routing Engines (RE), even if the configured public key for root has been removed, remote users which are in possession of the corresponding private key can still log in as root.
This issue affects Junos OS:
* all versions before 22.2R3-S7,
* 22.4 versions before 22.4R3-S5,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2-S3,
* 24.2 versions before 24.2R1-S2, 24.2R2.
๐@cveNotify
A UI Discrepancy for Security Feature
vulnerability in the UI of Juniper Networks Junos OS on VM Host systems allows a network-based, unauthenticated attacker to access the device.
On VM Host Routing Engines (RE), even if the configured public key for root has been removed, remote users which are in possession of the corresponding private key can still log in as root.
This issue affects Junos OS:
* all versions before 22.2R3-S7,
* 22.4 versions before 22.4R3-S5,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2-S3,
* 24.2 versions before 24.2R1-S2, 24.2R2.
๐@cveNotify
๐จ CVE-2025-52984
A NULL Pointer Dereference vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause impact to the availability of the device.
When static route points to a reject next hop and a gNMI query is processed for that static route, rpd crashes and restarts.
This issue affects:
Junos OS: * all versions before 21.2R3-S9,
* 21.4 versions before 21.4R3-S10,
* 22.2 versions before 22.2R3-S6,
* 22.4 versions before 22.4R3-S6,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R1-S2, 24.2R2;
Junos OS Evolved:
* all versions before 22.4R3-S7-EVO,
* 23.2-EVO
versions before 23.2R2-S3-EVO,
* 23.4-EVO versions before 23.4R2-S4-EVO,
* 24.2-EVO versions before 24.2R2-EVO.
๐@cveNotify
A NULL Pointer Dereference vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause impact to the availability of the device.
When static route points to a reject next hop and a gNMI query is processed for that static route, rpd crashes and restarts.
This issue affects:
Junos OS: * all versions before 21.2R3-S9,
* 21.4 versions before 21.4R3-S10,
* 22.2 versions before 22.2R3-S6,
* 22.4 versions before 22.4R3-S6,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R1-S2, 24.2R2;
Junos OS Evolved:
* all versions before 22.4R3-S7-EVO,
* 23.2-EVO
versions before 23.2R2-S3-EVO,
* 23.4-EVO versions before 23.4R2-S4-EVO,
* 24.2-EVO versions before 24.2R2-EVO.
๐@cveNotify
๐จ CVE-2025-52985
A Use of Incorrect Operator
vulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions.
When a firewall filter which is applied to the lo0 or re:mgmt interface references a prefix list with 'from prefix-list', and that prefix list contains more than 10 entries, the prefix list doesn't match and packets destined to or from the local device are not filtered.
This issue affects firewall filters applied to the re:mgmt interfaces as input and output, but only affects firewall filters applied to the lo0 interface as output.
This issue is applicable to IPv4 and IPv6 as a prefix list can contain IPv4 and IPv6 prefixes.
This issue affects Junos OS Evolved:
* 23.2R2-S3-EVO versions before 23.2R2-S4-EVO,
* 23.4R2-S3-EVO versions before 23.4R2-S5-EVO,
* 24.2R2-EVO versions before 24.2R2-S1-EVO,
* 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.
This issue doesn't affect Junos OS Evolved versions before 23.2R1-EVO.
๐@cveNotify
A Use of Incorrect Operator
vulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions.
When a firewall filter which is applied to the lo0 or re:mgmt interface references a prefix list with 'from prefix-list', and that prefix list contains more than 10 entries, the prefix list doesn't match and packets destined to or from the local device are not filtered.
This issue affects firewall filters applied to the re:mgmt interfaces as input and output, but only affects firewall filters applied to the lo0 interface as output.
This issue is applicable to IPv4 and IPv6 as a prefix list can contain IPv4 and IPv6 prefixes.
This issue affects Junos OS Evolved:
* 23.2R2-S3-EVO versions before 23.2R2-S4-EVO,
* 23.4R2-S3-EVO versions before 23.4R2-S5-EVO,
* 24.2R2-EVO versions before 24.2R2-S1-EVO,
* 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.
This issue doesn't affect Junos OS Evolved versions before 23.2R1-EVO.
๐@cveNotify
๐จ CVE-2025-52986
A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low privileged user to cause an impact to the availability of the device.
When RIB sharding is enabled and a user executes one of several routing related 'show' commands, a certain amount of memory is leaked. When all available memory has been consumed rpd will crash and restart.
The leak can be monitored with the CLI command:
show task memory detail | match task_shard_mgmt_cookie
where the allocated memory in bytes can be seen to continuously increase with each exploitation.
This issue affects:
Junos OS:
* all versions before 21.2R3-S9,
* 21.4 versions before 21.4R3-S11,
* 22.2 versions before 22.2R3-S7,
* 22.4 versions before 22.4R3-S7,
* 23.2 versions before 23.2R2-S4,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R2,
* 24.4 versions before 24.4R1-S2, 24.4R2;
Junos OS Evolved:
* all versions before 22.2R3-S7-EVO
* 22.4-EVO versions before 22.4R3-S7-EVO,
* 23.2-EVO versions before 23.2R2-S4-EVO,
* 23.4-EVO versions before 23.4R2-S4-EVO,
* 24.2-EVO versions before 24.2R2-EVO,
* 24.4-EVO versions before 24.4R2-EVO.
๐@cveNotify
A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low privileged user to cause an impact to the availability of the device.
When RIB sharding is enabled and a user executes one of several routing related 'show' commands, a certain amount of memory is leaked. When all available memory has been consumed rpd will crash and restart.
The leak can be monitored with the CLI command:
show task memory detail | match task_shard_mgmt_cookie
where the allocated memory in bytes can be seen to continuously increase with each exploitation.
This issue affects:
Junos OS:
* all versions before 21.2R3-S9,
* 21.4 versions before 21.4R3-S11,
* 22.2 versions before 22.2R3-S7,
* 22.4 versions before 22.4R3-S7,
* 23.2 versions before 23.2R2-S4,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R2,
* 24.4 versions before 24.4R1-S2, 24.4R2;
Junos OS Evolved:
* all versions before 22.2R3-S7-EVO
* 22.4-EVO versions before 22.4R3-S7-EVO,
* 23.2-EVO versions before 23.2R2-S4-EVO,
* 23.4-EVO versions before 23.4R2-S4-EVO,
* 24.2-EVO versions before 24.2R2-EVO,
* 24.4-EVO versions before 24.4R2-EVO.
๐@cveNotify
๐จ CVE-2026-21911
An Incorrect Calculation vulnerability in the Layer 2 Control
Protocol
Daemon (l2cpd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-adjacent attacker flapping the management interface to cause the learning of new MACs over label-switched interfaces (LSI) to stop while generating a flood of logs, resulting in high CPU usage.
When the issue is seen, the following log message will be generated:
op:1 flag:0x6 mac:xx:xx:xx:xx:xx:xx bd:2 ifl:13302 reason:0(REASON_NONE) i-op:6(INTRNL_OP_HW_FORCE_DELETE) status:10 lstatus:10 err:26(GETIFBD_VALIDATE_FAILED) err-reason 4(IFBD_VALIDATE_FAIL_EPOCH_MISMATCH) hw_wr:0x4 ctxsync:0 fwdsync:0 rtt-id:51 p_ifl:0 fwd_nh:0 svlbnh:0 event:- smask:0x100000000 dmask:0x0 mplsmask 0x1 act:0x5800 extf:0x0 pfe-id 0 hw-notif-ifl 13302 programmed-ifl 4294967295 pseudo-vtep underlay-ifl-idx 0 stack:GET_MAC, ALLOCATE_MAC, GET_IFL, GET_IFF, GET_IFBD, STOP,
This issue affects Junos OS Evolved:
* all versions before 21.4R3-S7-EVO,
* from 22.2 before 22.2R3-S4-EVO,
* from 22.3 before 22.3R3-S3-EVO,
* from 22.4 before 22.4R3-S2-EVO,
* from 23.2 before 23.2R2-S1-EVO,
* from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO.
๐@cveNotify
An Incorrect Calculation vulnerability in the Layer 2 Control
Protocol
Daemon (l2cpd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-adjacent attacker flapping the management interface to cause the learning of new MACs over label-switched interfaces (LSI) to stop while generating a flood of logs, resulting in high CPU usage.
When the issue is seen, the following log message will be generated:
op:1 flag:0x6 mac:xx:xx:xx:xx:xx:xx bd:2 ifl:13302 reason:0(REASON_NONE) i-op:6(INTRNL_OP_HW_FORCE_DELETE) status:10 lstatus:10 err:26(GETIFBD_VALIDATE_FAILED) err-reason 4(IFBD_VALIDATE_FAIL_EPOCH_MISMATCH) hw_wr:0x4 ctxsync:0 fwdsync:0 rtt-id:51 p_ifl:0 fwd_nh:0 svlbnh:0 event:- smask:0x100000000 dmask:0x0 mplsmask 0x1 act:0x5800 extf:0x0 pfe-id 0 hw-notif-ifl 13302 programmed-ifl 4294967295 pseudo-vtep underlay-ifl-idx 0 stack:GET_MAC, ALLOCATE_MAC, GET_IFL, GET_IFF, GET_IFBD, STOP,
This issue affects Junos OS Evolved:
* all versions before 21.4R3-S7-EVO,
* from 22.2 before 22.2R3-S4-EVO,
* from 22.3 before 22.3R3-S3-EVO,
* from 22.4 before 22.4R3-S2-EVO,
* from 23.2 before 23.2R2-S1-EVO,
* from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO.
๐@cveNotify
๐จ CVE-2026-23769
lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files.
๐@cveNotify
lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files.
๐@cveNotify
๐จ CVE-2025-14757
The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via window.ccb_nonces in the page source, any unauthenticated attacker can mark any order's payment status as "completed" without actual payment.
๐@cveNotify
The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via window.ccb_nonces in the page source, any unauthenticated attacker can mark any order's payment status as "completed" without actual payment.
๐@cveNotify
๐จ CVE-2025-14844
The Membership Plugin โ Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.
๐@cveNotify
The Membership Plugin โ Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.
๐@cveNotify
cwe.mitre.org
CWE -
CWE-639: Authorization Bypass Through User-Controlled Key (4.19.1)
CWE-639: Authorization Bypass Through User-Controlled Key (4.19.1)
Common Weakness Enumeration (CWE) is a list of software weaknesses.
๐จ CVE-2025-59870
HCL MyXalytics is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation , introducing a security risk
๐@cveNotify
HCL MyXalytics is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation , introducing a security risk
๐@cveNotify
Hcl-Software
Security Bulletin : HCL MyXalytics v6.7 is affected by improper management of a static JWT signing secret - Customer Support
HCL MyXalytics v6.7 is affected by improper management of a static JWT signing secret.
๐จ CVE-2025-14894
Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed.
๐@cveNotify
Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed.
๐@cveNotify
GitHub
GitHub - livewire-filemanager/filemanager: A simple, friendly and practical Livewire filemanager for your applications
A simple, friendly and practical Livewire filemanager for your applications - livewire-filemanager/filemanager
๐จ CVE-2026-0612
The Librarian contains a information leakage vulnerability through the `web_fetch` tool, which can be used to retrieve arbitrary external content provided by an attacker, which can be used to proxy requests through The Librarian infrastructure. The vendor has fixed the vulnerability in all versions of TheLibrarian.
๐@cveNotify
The Librarian contains a information leakage vulnerability through the `web_fetch` tool, which can be used to retrieve arbitrary external content provided by an attacker, which can be used to proxy requests through The Librarian infrastructure. The vendor has fixed the vulnerability in all versions of TheLibrarian.
๐@cveNotify
mindgard.ai
TheLibrarian.io's AI Security Is Checked Out, and Their Disclosure Response - Mindgard
The Mindgard platform identified high severity vulnerabilities in TheLibrarian.io platform
๐จ CVE-2026-0613
The Librarian contains an internal port scanning vulnerability, facilitated by the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning of the Hertzner cloud environment that TheLibrarian uses. The vendor has fixed the vulnerability in all affected versions.
๐@cveNotify
The Librarian contains an internal port scanning vulnerability, facilitated by the `web_fetch` tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning of the Hertzner cloud environment that TheLibrarian uses. The vendor has fixed the vulnerability in all affected versions.
๐@cveNotify
mindgard.ai
TheLibrarian.io's AI Security Is Checked Out, and Their Disclosure Response - Mindgard
The Mindgard platform identified high severity vulnerabilities in TheLibrarian.io platform
๐จ CVE-2026-0615
The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions.
๐@cveNotify
The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions.
๐@cveNotify
mindgard.ai
TheLibrarian.io's AI Security Is Checked Out, and Their Disclosure Response - Mindgard
The Mindgard platform identified high severity vulnerabilities in TheLibrarian.io platform
๐จ CVE-2026-0616
TheLibrarians web_fetch tool can be used to retrieve the Adminer interface content, which can then be used to log into the internal TheLibrarian backend system. The vendor has fixed the vulnerability in all affected versions.
๐@cveNotify
TheLibrarians web_fetch tool can be used to retrieve the Adminer interface content, which can then be used to log into the internal TheLibrarian backend system. The vendor has fixed the vulnerability in all affected versions.
๐@cveNotify
mindgard.ai
TheLibrarian.io's AI Security Is Checked Out, and Their Disclosure Response - Mindgard
The Mindgard platform identified high severity vulnerabilities in TheLibrarian.io platform
๐จ CVE-2025-15104
Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 127.0.0.1, these controls can be bypassed using DNS rebinding techniques or domains that resolve to loopback addresses.This issue affects The Nu Html Checker (vnu): latest (commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd).
๐@cveNotify
Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 127.0.0.1, these controls can be bypassed using DNS rebinding techniques or domains that resolve to loopback addresses.This issue affects The Nu Html Checker (vnu): latest (commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd).
๐@cveNotify
Fluidattacks
Nu Html Checker (validator.nu) - Restriction bypass vulnerability allowing local SSRF | Fluid Attacks
CVE-2025-15104: Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources.
๐จ CVE-2025-70298
GPAC v2.4.0 was discovered to contain an out-of-bounds read in the oggdmx_parse_tags function.
๐@cveNotify
GPAC v2.4.0 was discovered to contain an out-of-bounds read in the oggdmx_parse_tags function.
๐@cveNotify
GitHub
POC/dmx_ogg/GPAC_oggdmx_parse_tags_offbyone.md at main ยท zakkanijia/POC
Contribute to zakkanijia/POC development by creating an account on GitHub.
๐จ CVE-2025-70304
A buffer overflow in the vobsub_get_subpic_duration() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet.
๐@cveNotify
A buffer overflow in the vobsub_get_subpic_duration() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet.
๐@cveNotify
GitHub
POC/gpac_vobsub/GPAC_vobsub.md at main ยท zakkanijia/POC
Contribute to zakkanijia/POC development by creating an account on GitHub.
๐จ CVE-2025-70305
A stack overflow in the dmx_saf function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .saf file.
๐@cveNotify
A stack overflow in the dmx_saf function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .saf file.
๐@cveNotify
GitHub
POC/gpac_saf/GPAC_SAF.md at main ยท zakkanijia/POC
Contribute to zakkanijia/POC development by creating an account on GitHub.
๐จ CVE-2025-70308
An out-of-bounds read in the GSF demuxer filter component of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .gsf file.
๐@cveNotify
An out-of-bounds read in the GSF demuxer filter component of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .gsf file.
๐@cveNotify
GitHub
POC/gpac_gsf/GPAC_gsf.md at main ยท zakkanijia/POC
Contribute to zakkanijia/POC development by creating an account on GitHub.
๐1
๐จ CVE-2025-70309
A stack overflow in the pcmreframe_flush_packet function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted WAV file.
๐@cveNotify
A stack overflow in the pcmreframe_flush_packet function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted WAV file.
๐@cveNotify
GitHub
POC/gpac_rawpcm/GPAC_RFPCM.md at main ยท zakkanijia/POC
Contribute to zakkanijia/POC development by creating an account on GitHub.